CVE-2025-1302 is a security vulnerability in the open-source npm package jsonpath-plus. Versions before 10.3 are susceptible to remote code execution (RCE) because of improper input sanitization: an attacker can execute arbitrary code on the host by exploiting the unsafe default eval='safe' mode. The flaw results from an incomplete fix for CVE-2024-21534.

In this post, we take a closer look at the vulnerability, how it works, and how you can mitigate the risk by applying the security patch or upgrading the package.

Vulnerability Details

In jsonpath-plus, the unsafe default eval='safe' mode makes the package vulnerable to RCE. The vulnerability affects the jp.parse method, which the package calls internally when evaluating JSONPath expressions.

The issue arises from the use of the JavaScript eval() function, which evaluates and executes a string as JavaScript code. Calling eval on untrusted, unsanitized input allows an attacker who controls that input to inject and execute arbitrary code on the affected system.

Proof of Concept (PoC): The following code snippet demonstrates how this vulnerability can be exploited:

const jp = require('jsonpath-plus');
const malicious_input = '{"__proto__": {"payload":"; console.log(\'exploited\');" } }';
const sanitized_input = JSON.parse(malicious_input);
jp.parse(sanitized_input, {eval: 'unsafe'});

In this example, the attacker creates a malicious JSON object whose payload the system passes to eval(). The console.log() call stands in for arbitrary attacker-chosen code and demonstrates the RCE vulnerability.

For a detailed explanation of the origins of this vulnerability, refer to these documents:

- CVE-2025-1302 entry in the CVE List
- SNYK-JS-JSONPATHPLUS-7945884: the incomplete fix for the previous vulnerability, which led to the current CVE-2025-1302.

Exploit Details

To exploit this vulnerability, an attacker crafts a payload containing JavaScript code that the package will pass to eval(). By sending that payload to an application that uses jsonpath-plus to process it, the attacker can execute arbitrary code on the affected system.

The impact depends on the privileges of the affected process and the security measures around it. In the worst case, the attacker gains complete control of the system, leading to unauthorized data access, data corruption, or denial of service (DoS).

To protect your application from CVE-2025-1302, follow these steps:

1. Upgrade jsonpath-plus to version 10.3 or later. This release contains the fix for the RCE vulnerability and should be used in your projects to ensure proper input sanitization.

2. Review your own code for uses of the eval() function. eval() is a security risk whenever it evaluates untrusted input. Replace it with safer alternatives such as JSON.parse() for parsing data, or other language features that do not execute strings as code.

3. Implement input validation and sanitization for any JSON data your application processes, especially when using third-party packages.
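The following is an added example, not code from the original post or from the jsonpath-plus project, that puts the eval() discussion above and the three mitigation steps into practice. It validates caller-supplied JSONPath expressions against a strict allowlist (plain child names, numeric indexes and wildcards only) before they reach any evaluator, rejecting the filter and script constructs that a JSONPath library would hand to its expression evaluator. The `evaluate` function passed to `safeQuery` is an assumption: the example injects a small reference evaluator (`subsetEvaluate`, written here for the allowlisted subset so the file runs offline), and in a real deployment you would pass the library instead, for example `({ path, json }) => JSONPath({ path, json, eval: false })`, so that expression evaluation stays disabled even if validation were ever bypassed. `MAX_PATH_LENGTH` and the `SAMPLE` document are constructed values.

```javascript
'use strict';
// Added example: allowlist untrusted JSONPath expressions before evaluation,
// and keep the evaluator's eval mode disabled. Not jsonpath-plus code.

// Upper bound on a caller-supplied path (constructed limit for this example).
const MAX_PATH_LENGTH = 256;

// Allowlist grammar: root `$`, then any number of
//   .name      dot child with an identifier name
//   ['name']   bracket child with a single-quoted name (no quotes/backslashes)
//   [123]      numeric index
//   [*] / .*   wildcard
// Everything else (`..` recursive descent, `[?( )]` filters, `[( )]` scripts,
// unions, slices) is rejected, which removes every construct that would be
// passed to an expression evaluator.
const SAFE_JSONPATH = /^\$(?:\.[A-Za-z_][A-Za-z0-9_]*|\['[^'\\]*'\]|\[\d+\]|\[\*\]|\.\*)*$/;

// True when `path` is inside the allowlist. A false result on input that
// claims to be a normal query is worth logging as a detection signal.
function isSafeJsonPath(path) {
  return typeof path === 'string'
    && path.length <= MAX_PATH_LENGTH
    && SAFE_JSONPATH.test(path);
}

// Splits an already-validated path into segments; '*' marks a wildcard.
function tokenizeSafeJsonPath(path) {
  const tokens = [];
  const re = /\.([A-Za-z_][A-Za-z0-9_]*)|\['([^'\\]*)'\]|\[(\d+)\]|\[\*\]|\.\*/g;
  let m;
  while ((m = re.exec(path.slice(1))) !== null) {   // slice(1) drops the `$`
    if (m[1] !== undefined) tokens.push(m[1]);
    else if (m[2] !== undefined) tokens.push(m[2]);
    else if (m[3] !== undefined) tokens.push(Number(m[3]));
    else tokens.push('*');
  }
  return tokens;
}

// Reference evaluator for the allowlisted subset (assumption: stands in for
// the real library so this file runs offline). It never evaluates code, and
// the own-property check means names such as __proto__ do not walk into
// prototypes.
function subsetEvaluate({ path, json }) {
  let current = [json];
  for (const token of tokenizeSafeJsonPath(path)) {
    const next = [];
    for (const node of current) {
      if (node === null || typeof node !== 'object') continue;
      if (token === '*') next.push(...Object.values(node));
      else if (Object.prototype.hasOwnProperty.call(node, token)) next.push(node[token]);
    }
    current = next;
  }
  return current;
}

// Hardened entry point: allowlist first, then evaluate with eval disabled.
// `evaluate` must accept the { path, json, eval } option shape.
function safeQuery(evaluate, json, path) {
  if (!isSafeJsonPath(path)) {
    // Treat this as a security event, not a user typo: alert on it.
    throw new Error('rejected JSONPath expression: '
      + JSON.stringify(String(path)).slice(0, 80));
  }
  return evaluate({ path, json, eval: false });
}

// Constructed sample document.
const SAMPLE = {
  users: [
    { name: 'alice', role: 'admin' },
    { name: 'bob', role: 'user' },
  ],
};

// Demonstration: an allowlisted path works; paths that use filter scripts,
// recursive descent or script subscripts are rejected before any evaluator
// sees them.
console.log(safeQuery(subsetEvaluate, SAMPLE, "$.users[*].name"));
for (const bad of ["$.users[?(@.role=='admin')]", "$..name", "$.users[(@.length-1)]"]) {
  try {
    safeQuery(subsetEvaluate, SAMPLE, bad);
  } catch (e) {
    console.log(e.message);
  }
}
```

The allowlist is deliberately narrower than full JSONPath: if your application only ever needs to read known fields, nothing is lost, and every expression that would have reached an evaluator is rejected up front. Passing `eval: false` through to the library is the second, independent layer, so a validation bug on its own does not reintroduce code execution.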

By following these steps, you can effectively mitigate the risk of CVE-2025-1302 in your applications and systems. Keep up with security patches and upgrades for the packages you depend on.

Timeline

Published on: 02/15/2025 05:15:11 UTC